Fix a segmentation fault caused by using a pointer to a reallocated address. The name pointer in the uci_parse_config function becomes invalid if assert_eol calls uci_realloc down the line, resulting in a segmentation fault when attempting to dereference name. A simple fix is to call assert_eol before retrieving the actual address for the name and type pointers.
The segmentation fault has been found while fuzzing the uci configuration system for various types of different crashes and undefined behaviors, which resulted in multiple different import files causing instability and segmentation faults. Signed-off-by: Luka Kožnjak <[email protected]> Signed-off-by: Juraj Vijtiuk <[email protected]> CC: Luka Perkov <[email protected]> --- file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/file.c b/file.c index f5032bd..3cd7702 100644 --- a/file.c +++ b/file.c @@ -425,9 +425,9 @@ static void uci_parse_config(struct uci_context *ctx) uci_parse_error(ctx, "invalid character in type field"); ofs_name = next_arg(ctx, false, true, false); + assert_eol(ctx); type = pctx_str(pctx, ofs_type); name = pctx_str(pctx, ofs_name); - assert_eol(ctx); if (!name || !name[0]) { ctx->internal = !pctx->merge; -- 2.24.1 _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
